Tuesday, March 8, 2016

The Ukraine power grid cyberattack continued to dominate cybersecurity
news in February as various researchers reported findings from their
investigations of the incident. In other news, researchers discovered sustained
cyberattacks against Japan’s critical infrastructure, most likely perpetrated
by a nearby nation state. Amidst these reports, industrial and critical
infrastructure leaders met to discuss strategies and solutions to protect
against and respond to such attacks, and President Obama revealed his plan to
build a stronger cybersecurity defense posture for the U.S. Underlying these
events is the realization that the attacks against the Ukraine and Japan are
just the beginning.

DHS
researchers have confirmed that the attack on the Ukraine’s electric grid was
by remote control. Malware operated by attackers across the Internet took
control of a SCADA workstation and opened breakers in substations throughout
two power distribution systems. The attackers did this interactively, most
likely the same way a legitimate operator would, by bringing up screens for the
substations one after another and operating the breakers remotely. Firewalls
offer little protection against remote control attacks – once a connection
through a firewall is established, it always permits two-way communications. The
ICS-CERT recommends hardware-enforced unidirectional communications as one way
to eliminate the risk of this class of sophisticated attack.

President
Obama took to the pen to announce his administration’s new Cybersecurity
National Action Plan, which emphasizes updating federal systems and appointing
a CISO to manage those changes. Additionally, the plan focuses on bipartisan
and private sector collaboration, as well as public education to encourage safe
cyber practices. These proposed activities are all well and good, and over
time can effect beneficial changes, but as Mr. Obama himself noted, “the
nation’s cyber adversaries [are] getting more sophisticated every day.” When it
comes to protecting critical infrastructure, time is not a luxury we have.

The 20th
annual ARC Industry Forum took place in early February, bringing together 700
participants to discuss innovation in industrial automation and manufacturing.
Not surprisingly, cybersecurity was an important topic at the event,
particularly as it relates to emerging trends, including IIoT and remote
access. Automation World’s Editor-in-Chief, David Greenfield, shines a light on
new cybersecurity developments, highlighting the shift from traditional
IT-style security to solutions designed specifically for industrial control
systems, including Waterfall’s Unidirectional
Security Gateways.

Poor relations between Kiev and Moscow
are likely behind the power grid cyberattack that hit Ukraine in December.
Hackers targeted three power distribution companies in December's attack.
Security software company Trend Micro said it found the software used to
infect the Ukrainian utilities in the networks of a large Ukrainian mining
company and a rail company. Although no one is certain Russia was behind the
Ukraine power grid attack, one thing is clear: it is possible to take down a
power grid with a cyberattack.

According to
security researchers at Cylance, Japanese critical infrastructure is under
attack by as-yet unnamed attackers. Citing the sophistication, skillset and
financial requirements of the attacks, Cylance believes the attacks are linked
to a nation state, likely China or North Korea. Too often, industrial control
system (ICS) sites dismiss these sophisticated cyber-espionage attacks,
believing there is “nothing worth stealing.” These sites need only look at the
recent remote-control attack on Ukraine’s grid to recognize the naiveté of that belief.
ICS sites urgently need to deploy strong protections against targeted attacks,
before any more damage is done.

Thursday, February 18, 2016

Recent reports from the Nuclear
Threat Initiative and Chatham
House both find that nuclear facilities in many countries are “easy
targets for cyberattacks.” Among the problems cited in the reports are a significant
nuclear presence, few government regulations, and inadequate or corrupt
oversight of nuclear facilities.

The reports highlight important issues, but are
disappointing in that they provide little insight into the raw data used to
draw their conclusions. Both reports describe regulations that exist in some
jurisdictions and not in others, and cybersecurity elements that appear in the
regulations of some jurisdictions but not others, yet neither report provides
sources. References to the regulations the authors examined would let everyone
interested in a deeper understanding locate those regulations and study them
directly.

The reports do highlight an important fact – for all the
talk of cybersecurity vulnerabilities, many of the older reactors in the world
are still controlled with analog controls, and those controls are immune to
digital cybersabotage/compromise attempts. Newer reactors, though, use digital controls
and so are of greater concern. And even those reactors with analog controls for
the reactor core may use digital controls for other aspects of the reactors,
such as controls for cooling equipment. It was, after all, cooling equipment
that was damaged in the Fukushima tsunami, and whose failure ultimately
resulted in explosions and the release of large amounts of radioactive
materials.

Cyberattack tools, like any other software, continue to
evolve and develop more features. As a result, cybersecurity attacks only
become more sophisticated over time. What is today’s “advanced attack” is
tomorrow’s script-kiddie tool. Nuclear generators should be leading the way for
both physical and cybersecurity for industrial control systems. All industrial
sites should be looking to the attacks of concern to nuclear generators and the
defensive systems being deployed to deflect such attacks. What is of concern today
to only nuclear sites will be every ICS site’s problem in only a handful of
years.

Physical and cybersecurity at nuclear sites is a difficult
problem. At Waterfall Security Solutions, we are proud to be part of the
cybersecurity solution at nuclear generators throughout the USA, as well as in
Japan, South Korea and Spain. Waterfall’s Unidirectional Security Gateways
block 100 percent of network attacks originating on external networks at
nuclear generators in these and other jurisdictions.

For more information
on best practices for securing critical infrastructure, visit our Resources page.

Tuesday, February 16, 2016

It’s no surprise the cyberattack on Ukraine’s power grid dominated
industrial control system (ICS) cybersecurity news in January. Following the
news of the power outages and subsequent discovery of malware and other signs
of a purposeful network intrusion, cybersecurity experts, DHS and others have
revealed alarming instances of cyberattacks, increasing vulnerabilities and
lack of adequate cyberdefenses at industrial and nuclear sites, dams and other
critical infrastructure. Perhaps the Ukraine attack is the wake-up call the
industry needs to escalate its investment in cybersecurity protections, such as
Unidirectional
Security Gateways. In the meantime, learn more in our roundup of
these stories below.

With all security eyes on Ukraine’s Prykarpattyaoblenergo
utility, SANS ICS concluded hackers likely caused the outage by remotely
switching breakers, after installing malware that prevented technicians from
detecting the intrusion. The key takeaway is that malware may have enabled the
attack, but it was hackers’ remote access to critical operational networks that
resulted in the outage.

While presenting at the S4x16 conference
in Miami, Marty Edwards, head of the DHS ICS-CERT, cited increased Internet
connectivity and associated vulnerabilities as the main reason behind the rise
in cyberattacks on ICS networks. Others aren’t convinced, believing the recent
Ukraine power grid attack has prompted authorities to look for signs of
intrusion that may not necessarily be intentionally harmful events. From our
perspective, any external intrusion – or even attempted intrusion – into ICSs is
potentially harmful and should be taken seriously. Further, there is no doubt
whatsoever that connecting critical infrastructure directly to the Internet or
indirectly to Internet-accessible networks creates significant vulnerabilities.

According to a distressing report by
the Nuclear Threat Initiative, 20 nations have no apparent government
regulations requiring minimal protection of nuclear power plants or atomic
stockpiles against cyberattacks. The U.S. and many other countries have adopted
strong security postures including physical security measures, removable device
controls, and Unidirectional Security Gateways. This is standard practice in
many jurisdictions and is something that should become standard worldwide for
nuclear facilities.

In this article, industry experts Paul
Feldman, director of Midcontinent ISO, and Dan Hill, board member of the New
York ISO, explore the new threats to our power systems. They point out that
cybercriminal sophistication has outpaced the resulting regulations and urge
the Federal Energy Regulatory Commission (FERC) and the North American Electric
Reliability Corporation (NERC) to establish industry regulations that reflect
the current threat landscape. Hill and Feldman point out that adequate,
modern ICS security is very different from doing the minimum to be in
compliance and recommend the use of unidirectional security gateways to eliminate
the threat of remote-control and other network attacks from business networks
and from the Internet.

Rob Joyce, chief of the NSA’s Tailored
Access Operations unit, shook up the SCADA security community when he stated, “SCADA
security is something that keeps me up at night.” Referring to the thousands of
ICSs, such as power plants and other critical infrastructure, that are
connected to the Internet without proper protections in place, Joyce singled
out heating and cooling systems as examples that nation-state hackers can use
to infiltrate control systems. He knows this to be true since these same
systems are used as points of ingress by his own team. As alarming as this
seems, it’s the reality we face as more and more industrial control systems are
connected to the Internet.

The report points to an increase in the frequency and
complexity of cyber incidents. ICS-CERT received reports of 295 incidents in
2015, although it is believed that many more went unreported or undetected. These
attacks are perpetrated by increasingly capable cyber adversaries who can, and
have, defeated traditional IT-centric security protections.

To mitigate this growing threat, the DHS encourages us to
deploy technology to prevent these increasingly sophisticated attacks.

Ensure proper configuration/patch
management – Unpatched systems are low-hanging fruit for attackers.
What the report does not point out is that patching is costly, and does
little to deter sophisticated attackers, because of the large number of
ICS zero-days waiting to be discovered. The report does point out that
unpatched laptops connecting to ICS networks are a major infection vector.
I agree with this latter point – any laptop or other equipment that is
ever connected directly or indirectly to the Internet must be regarded as
eventually compromised.

Reduce your attack surface – The
report points out that real-time connectivity between ICS networks and
less-trusted networks is best achieved using hardware-enforced
unidirectional communication, such as Unidirectional Security Gateways.

Build a defendable network –
Network segmentation can limit the damage from an intrusion and reduce cleanup
costs by limiting how far the compromise can spread through the ICS
network. Again, the report points out that the best design for transferring
real-time data is unidirectional gateways.

Manage authentication – Adversaries
increasingly focus on stolen credentials, especially for highly privileged
accounts. Among other things, the report recommends employing separate
credentials for corporate networks and industrial control system networks.
I disagree. I think the report would have been more effective recommending
much stronger perimeter protections to lock remote adversaries out
entirely, even those with every password to every ICS computer in the
building.

Implement secure
remote access – The report recommends surveying and systematically
removing vendors’ and other back doors that appear in the form of modems,
DSL lines and other undisciplined connections to outside networks. The report
also recommends unidirectional gateways to enforce “monitoring-only”
access, such as Waterfall’s Remote Screen View product provides. The DHS
cautions against reliance on “read-only” access enforced by software
configurations; no such software provisions can be as safe or reliable as
the hardware-enforced monitoring-only access of Unidirectional Security
Gateways.

The DHS cites the much-publicized and analyzed “Black
Energy” malware as an example relating to direct or indirect Internet
connectivity. Black Energy relies on a connection to a command and control
center on the Internet. The malware uses this connection to receive
instructions, download additional software – such as the “DiskWiper” cited in
the Ukrainian intrusions – and report intelligence gathered about the layout of
the ICS for use in future, more specific attacks.

The example could have been applied much more widely in the
report. In particular, with Unidirectional Security Gateways as the sole
connection between an ICS network and any external network, Black Energy’s
connection to a command and control center is impossible. The gateways send
information where they are configured to send it, not to random IP addresses on
the Internet, or on the corporate network. In addition, the gateways, of course,
permit no software downloads, remote control, or other instructions from a
command and control center back into the protected network.
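As an added illustration of this point, and of the earlier observation that a firewall passes traffic both ways once a connection is established, here is a small Python audit written for this post (not Waterfall’s product or the DHS report) that reads constructed firewall connection logs and flags the two things a unidirectional policy never allows: a connection initiated from outside into the control network (the remote-control channel) and control-network egress to any destination the gateway is not configured to send to (the Black Energy command-and-control pattern). The network ranges, host addresses and log format are assumptions.

```python
import ipaddress
import re

# Constructed policy: the control network may only *initiate* one flow, historian
# replication to the corporate replica; that is what a unidirectional gateway enforces.
ICS_NET = ipaddress.ip_network("10.10.0.0/16")  # assumed control network
ALLOWED_EGRESS = {("10.10.5.20", "10.20.1.10", 5000)}  # (src, dst, dport)

# Constructed syslog-style lines: TIMESTAMP ACTION PROTO SRC:PORT -> DST:PORT
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) \w+ "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
SAMPLE_LOG = """\
2016-02-01T03:14:07Z ALLOW TCP 10.20.3.44:51234 -> 10.10.7.15:3389
2016-02-01T03:15:22Z ALLOW TCP 10.10.5.20:40001 -> 10.20.1.10:5000
2016-02-01T03:16:01Z ALLOW TCP 10.10.7.15:49152 -> 203.0.113.9:443
2016-02-01T03:17:45Z ALLOW TCP 10.20.3.44:51240 -> 10.20.1.10:445
2016-02-01T03:18:09Z DENY TCP 198.51.100.7:4444 -> 10.10.7.15:502
"""

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(flow):
    """Classify a parsed flow by who initiated it relative to the control network."""
    src_in = ipaddress.ip_address(flow["src"]) in ICS_NET
    dst_in = ipaddress.ip_address(flow["dst"]) in ICS_NET
    if src_in and dst_in:
        return "internal"
    if dst_in:
        # Initiated from outside into the ICS: the firewall now passes traffic
        # both ways, which is exactly the remote-control channel.
        return "inbound-to-ics"
    if src_in:
        # Only gateway-configured destinations are legitimate egress; anything
        # else looks like malware reaching a command-and-control server.
        key = (flow["src"], flow["dst"], int(flow["dport"]))
        return "allowed-egress" if key in ALLOWED_EGRESS else "unexpected-egress"
    return "outside-ics"

def audit(log_text):
    """Return (ts, verdict, src, dst, dport) for each permitted boundary-crossing
    flow that the unidirectional policy would not allow."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None or flow["action"] != "ALLOW":
            continue  # denied flows never became a channel; skip them
        verdict = classify(flow)
        if verdict in ("inbound-to-ics", "unexpected-egress"):
            findings.append((flow["ts"], verdict, flow["src"], flow["dst"], int(flow["dport"])))
    return findings
```

Run `audit(SAMPLE_LOG)` to see the inbound RDP session and the beacon to 203.0.113.9 flagged, while the configured historian replication passes.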

The report is short, and is very much worth reading.

To learn more about
unidirectional security gateway technology and how it works to protect ICS
networks, visit www.waterfall-security.com.